
Releases: MISP/misp-modules

v3.0.7

17 Mar 14:05
v3.0.7
f930629


🐛 Bug Fixes

  • 9ff26ef - [alphaMountain] catch the error output (commit by @adulau)

MISP Modules Update: Enhanced QR Code Support, New Validin Module, and Improved Data Enrichment - v3.0.6

26 Feb 15:40
v3.0.6
afc9a49


Release Notes - v3.0.6


Release Date: February 26, 2026

New Modules & Features

  • Validin Expansion Module: Added a new expansion module for Validin MISP integration.
  • QR Code Support: The QR Code module now supports remote URLs with integrated security hardening.
  • HTML to Markdown: Added support for raw HTML conversion within the html-to-markdown utility.
  • Branding: Updated the official MISP modules logo.

Refactoring & Improvements

  • IPQualityScore Module: Significant refactoring to improve readability and error handling. Now supports additional input attributes including Username and File.
  • PDF Conversion: Enhanced the convert-markdown-to-pdf tool to sanitize raw HTML into literals.
  • Documentation: Updated README with expanded input parameters and corrected Validin documentation.
  • Code Quality: Extensive linting across the codebase using ruff, flake8, and Pylint (achieving a 10/10 score in several modules).

Bug Fixes

  • OTX Module (Critical): Fixed inverted logic in the isBlacklisted() function. Previously, the module incorrectly filtered out legitimate results; it now correctly returns True only when a value is found in the blacklist. This restores functionality for:
    • IP passive DNS lookups
    • Hash malware domain lookups
    • Domain enrichment
  • Markdown Styling: Fixed E261 formatting issues in the Markdown-to-PDF conversion tool.

misp-modules v3.0.5 — Modernized Web Interface, Cleaner Mappings, and New Enrichment Capabilities such as Reversing Labs and Sentinel

23 Dec 14:56
v3.0.5
1832b94


misp-modules v3.0.5 — Release Notes

Release date: 2025-12-23

Web interface to misp-modules without using MISP

Changes

  • [release] Version 3.0.5 released. (Alexandre Dulaunoy)

Fixes

  • Limit input types to supported hash types (md5, sha1, sha256). (Paul Venne)
  • Update User-Agent format and version in rl_enrichment.py. (Paul Venne)
  • Add repository and support information to rl_enrichment.py. (Paul Venne)
  • Remove unused IOC-specific metadata from summary formatting. (Paul Venne)
  • Update MAPPING_RULES for domain consistency and disable deterministic UUID computation. (Paul Venne)
  • Update MISP_TYPE_MAPPING and response handling for improved data normalization. (Paul Venne)
  • Update comment order in MAPPING_RULES for file-object and file-analysis:
    • Prioritize SHA1 over SHA256 and MD5 in object comments.
    • Ensure MD5 references are correctly formatted in file-object mappings. (Paul Venne)
  • [website] Poetry and main adjustments. (David Cruciani)

Other

  • Merge PR #754: Add ReversingLabs Enrichment module. (Alexandre Dulaunoy)
    • Comprehensive IOC enrichment for file hashes, domains, IPs, and URLs
    • Declarative JSON mappings for flexible MISP object creation
    • Support for nested objects and relationships
    • Automatic MISP type detection and validation
    • Built-in error handling and SSL verification options
  • Rename tests to match renamed module. (Paul Venne)
  • Update module description and name for clarity. (Paul Venne)
  • Optimized and verified with ruff and flake8. (Paul Venne)
  • Refactor code structure for improved readability and maintainability. (Paul Venne)
  • Fix documentation: correct supported hash types. (Paul Venne)
  • Add ReversingLabs logo and enrichment module documentation. (Paul Venne)
  • Add unit tests for ReversingLabs module functionality. (Paul Venne)
  • Remove unneeded folders. (Paul Venne)
  • Merge PR #753: Refactor Rapid7 AttackerKB module version and details. (Alexandre Dulaunoy / jrecinsky-r7)
    • Updated module version and improved documentation.
  • Merge PR #728: Reorganize and manage assets with Vite. (David Cruciani / Cormac Doherty)
    • Introduce Vite-based asset management
    • Rebuild/replace vendor assets and JavaScript bundles
    • Remove unused Bootstrap and FontAwesome assets
    • Update templates and asset paths
    • Standardize asset structure
  • Merge PR #751: Migrate website to Poetry and simplify architecture. (David Cruciani / Cormac Doherty)
    • BREAKING CHANGE: Configuration moved to .env
    • Replace requirements.txt with pyproject.toml and Poetry
    • Consolidate website entrypoint to website/main.py
    • Add Gunicorn WSGI support and systemd service templates
    • Improve configuration handling, logging, and linting
    • Remove legacy configuration and launcher files
  • Merge PR #750: Synchronize with Microsoft Sentinel or Defender. (Alexandre Dulaunoy / Koen Van Impe)
    • Add and update export_sentinel.py
    • Wrapper support for existing MISP2Sentinel and MISP2Defender setups

MISP-modules: Enhancements to YARA Syntax Validation (v3.0.4)

23 Nov 07:16
v3.0.4
3244fd5


This minor release, v3.0.4, focuses primarily on internal code quality and validation logic, ensuring a more robust experience, especially concerning YARA rule syntax.

Key Improvements

The majority of changes involve a significant refactor of the YARA syntax validator. This unification and refinement of the validation logic brings several benefits:

  • Improved Validation Logic: The logic has been centralized and unified within a single handler function for better maintainability and reliability.
  • Enhanced YARA Handling: Improvements include better support for handling auto-imports and external YARA variables.
  • Code Quality: Several minor fixes were applied to improve code readability, fix indentation issues in return statements, and update version/author information within the validator module.

These changes help ensure that YARA rules are validated more accurately and consistently within the platform.

MISP Modules v3.0.3 Release Notes (2025-11-19)

19 Nov 19:07
v3.0.3
98c9574


This release introduces several new modules and integrations and significant updates to vulnerability parsing, along with various fixes and improvements across the modules.

✨ New Features

  • Nextcloud Talk Action Module: A new action module has been added to integrate with Nextcloud Talk, developed during the 2025 hackathon.lu.
  • Any.Run Sandbox Integration: Implemented sandbox import and expansion modules, including an API wrapper, for enhanced integration with Any.Run.
  • AssemblyLine Module Updates & Refactor: Enhanced the AssemblyLine module with a new API wrapper for improved authentication, submission handling, query management, and error handling.
  • OpenAPI Interface and Swagger UI: Added functionality to expose the OpenAPI specification and Swagger UI for the misp-modules service, improving API discoverability.
  • Rapid7 AttackerKB CVE Lookup Module: Integrated a new expansion module for looking up CVE information using Rapid7 AttackerKB.
  • SophosLabs Intelix Update: Fixed template issues, improved readability, and added region support to the SophosLabs Intelix Expansion module.
  • CrowdStrike Falcon Metadata Capture: Added basic metadata capture for the Falcon expansion module.

🚀 Enhancements & Changes

Vulnerability Parsing Updates

  • Expanded Vulnerability ID Support: The vulnerability_parser now supports GCVE, CERTFR, and CNVD vulnerability IDs.
  • Vulnerability-Lookup Integration: Improved integration with vulnerability-lookup by reusing the vulnerability object creation method to add a reference with the vulnerability ID to every created vulnerability object.
  • Better Description Parsing: Enhanced vulnerability description parsing from the fkie source.

General Improvements

  • Next-Gen Installation: Added the uv installation method to allow installing MISP Modules on systems that might not meet the required Python version dependencies.
  • Hostname Fix: Removed trailing dots from DNS records to ensure they are valid hostname MISP attributes.
  • Documentation & Workflow: Updates to documentation (mkdocs and general docs) and internal GitHub workflows, including Python 3.9 End-of-Life removal and handling for libpoppler dependencies.
  • Dependency Management: Bumped the poetry lock file with the latest versions.
  • Export Module Fixes: Fixed yara export in osqueryexport.py and added functions around various attributes (ip-dst, ip-src, filename, etc.).
  • Refactorings: Various code cleanup and refactorings, including for btc_steroids and virustotal.

🛠️ Key Fixes

  • API Configuration:
    • Fixed the urlhaus module by adding the missing auth_key argument to all parsers.
    • The expansion module now requires the auth_key configuration to connect to abuse.ch API services.
  • Module Logic & Validation:
    • Fixed a bug in crowdstrike_falcon (clean-up).
    • Fixed an issue in the anyrun module (empty f-string fix).
    • Fixed an issue in the cve module (typo for the logo).
    • Excluded private modules from validation in the is_valid_module function.
    • Resolved potential duplicates with references mentioned in the fkie description in the vulnerability parser.
    • Fixed missing config in url-import.
  • CSV Import: Added a missing field in the additional header and fixed a MISP Event variable name in csvimport.
  • Code Clean-up: Removed unused imports in assemblyline and fixed linter concerns for the new Nextcloud module.
  • Testing: Ensured Python files starting with _ are correctly excluded from tests.

v3.0.2

02 Apr 13:57
v3.0.2
962361b


🐛 Bug Fixes

v3.0.1

06 Mar 13:32


✨ New Features

v3.0.0

05 Mar 13:33


new: first 3.x release

Changes:
- add support for custom 'out-of-package' MISP modules
- new extra '[all]' installs dependencies required by all modules
- default package installs only workflow-required dependencies
- remove all dependencies located in git repositories
- enforce single approach to discover package and file system modules
- add pre-commit hook to run black, isort, and flake8
- logging captures deprecation warnings
- flake8 linter runs against all modules
- remove custom module discovery logic when building the documentation
- remove all exported symbols where not needed

v2.4.201

26 Feb 13:27


chg: [deps] Remove pyfaup

v2.4.200

24 Feb 14:40


🐛 Bug Fixes

  • 3033525 - [yara_query] description fixed (commit by @adulau)
  • 63cffa2 - [vulnerability_lookup] Updated API url (commit by @chrisr3d)
  • 8acd890 - [vulnerability_lookup] Fixed potentially missing fields in the GSD description of a vulnerability (commit by @chrisr3d)
  • 97f6afc - [vulnerability_lookup] Better reference between vulnerability and weakness objects (commit by @chrisr3d)
  • 9f1efde - [reversedns] add the ip attribute type (commit by @adulau)
  • 6d29742 - [vulnerability_lookup] Quick fix on a typing and an indentation (commit by @chrisr3d)
  • 8b5e1ce - [tests] Updated test for the cve module following its recent changes (commit by @chrisr3d)
  • 48fdd50 - [init] onion_lookup module added + clean-up of the list (commit by @adulau)
  • ab94e11 - [onion_lookup] add a name field to the module info (commit by @adulau)
  • 3bb66ba - [taxii21] Updated module (commit by @chrisr3d)
  • 658fcce - [import modules] Added some required fields for required user config (commit by @chrisr3d)
  • 625bc68 - [poetry] Rebumping lock file after merge conflict (commit by @chrisr3d)
  • 44a915f - [security] Disable local file access and JS execution for wkhtmltopdf (commit by @mokaddem)